nanog mailing list archives

Re: Detecting Attacks


From: Valdis.Kletnieks () vt edu
Date: Sun, 12 Jun 2016 12:04:12 -0400

On Fri, 10 Jun 2016 22:22:31 -0700, subashini hariharan said:

> The aim is to detect DoS/DDoS attacks using the application. I am going to
> use ELK (ElasticSearch, Logstash, Kibana) for processing the logs (Log
> Analytics).

Bad approach.  At that point, not only is the application being DDoS'ed,
but now your logging system may be overwhelmed as well.  And a favorite
attack method is to throw a DDoS at one application (your http server, for
instance), and while you're drowning in logfiles, slip in an exploit for
something else (you *did* patch that tftpd server, right?)

Also, the vast majority of DDoS attempts are just fill-the-pipe attacks,
which often don't even bother attacking an application, just an IP address.
This leverages the fact that there's a lot of routers that can switch average
sized packets at line speed, but not minimum sized packets. So the link
falls over faster if it's getting pounded with ICMP Echo Request packets
or TCP SYN packets than if it's getting 800-byte http requests.
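
The last paragraph is the practical takeaway of the reply: a fill-the-pipe flood shows up in the packet rate and average frame size on the interface long before (and independently of) anything an application logs. The following is an added example, not code from the thread or its participants: it works out the per-second packet budget of a link at a given frame size, then runs a small detector over periodic interface counter samples (the kind you would pull from SNMP ifHCInUcastPkts/ifHCInOctets) and flags intervals where packets per second jump while the average frame size collapses. The link rate, thresholds and the counter samples are constructed for the illustration.

```python
"""Spot a fill-the-pipe flood from interface counters rather than application logs.

Added example (not from the NANOG thread). It assumes periodic samples of an
interface's packet and byte counters (for instance SNMP ifHCInUcastPkts and
ifHCInOctets) and a known link rate; the sample values below are constructed.
"""
from dataclasses import dataclass

# Bytes each frame costs on the wire beyond the frame itself:
# 7-byte preamble + 1-byte start delimiter + 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES = 20
MIN_ETHERNET_FRAME = 64      # includes the 4-byte FCS


def max_pps(link_bps: int, frame_bytes: int) -> int:
    """Packets per second a link can carry at a given frame size (incl. FCS)."""
    bits_per_frame = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return link_bps // bits_per_frame


@dataclass(frozen=True)
class CounterSample:
    t: float        # seconds since start of monitoring
    packets: int    # cumulative packet counter
    octets: int     # cumulative byte counter


@dataclass(frozen=True)
class Alert:
    t: float
    pps: float
    avg_frame_bytes: float
    pps_capacity_used: float   # fraction of the link's minimum-frame pps budget


def detect_small_packet_flood(samples, link_bps, pps_threshold=100_000,
                              small_frame_bytes=128):
    """Flag intervals where packet rate jumps while average frame size collapses.

    A flood of minimum-size frames exhausts a router's forwarding (pps) budget
    long before it fills the link's bit rate, so the pair (high pps, tiny
    average frame) is the signature to watch, independent of any application log.
    """
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        dpkts = cur.packets - prev.packets
        if dt <= 0 or dpkts <= 0:
            continue        # counter wrap or reset: skip rather than alert
        pps = dpkts / dt
        avg = (cur.octets - prev.octets) / dpkts
        if pps >= pps_threshold and avg <= small_frame_bytes:
            alerts.append(Alert(cur.t, pps, avg,
                                pps / max_pps(link_bps, MIN_ETHERNET_FRAME)))
    return alerts


# Constructed samples: two quiet 10 s intervals of ~800-byte traffic, then two
# intervals of 64-byte frames arriving at 900 kpps on a 1 Gbps link.
SAMPLES = [
    CounterSample(0.0, 0, 0),
    CounterSample(10.0, 100_000, 80_000_000),
    CounterSample(20.0, 200_000, 160_000_000),
    CounterSample(30.0, 9_200_000, 736_000_000),
    CounterSample(40.0, 18_200_000, 1_312_000_000),
]
LINK_BPS = 1_000_000_000   # constructed: a 1 Gbps interface

if __name__ == "__main__":
    print("1 Gbps budget:", max_pps(LINK_BPS, 64), "pps at 64 B,",
          max_pps(LINK_BPS, 800), "pps at 800 B")
    for a in detect_small_packet_flood(SAMPLES, LINK_BPS):
        print(f"t={a.t:.0f}s flood: {a.pps:.0f} pps, avg {a.avg_frame_bytes:.0f} B, "
              f"{a.pps_capacity_used:.0%} of min-frame pps budget")
```

The budget numbers make the reply's point concrete: the same 1 Gbps link carries roughly ten times as many 64-byte frames as 800-byte frames per second, so a router that forwards 800-byte HTTP traffic at line rate can be out of forwarding capacity well before the bit rate is saturated. Because the detector only needs two counters per interval, it keeps working while the application and its log pipeline are the ones under load.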
